Budgeting and preparing for ISO27k

 

Are you responsible for your organisation's information risk and security or cybersecurity budget? Are you busily putting the finishing touches to your FY 2023 budget request?

Budgeting is a stressful management task, figuring out the figures and anticipating tough battles ahead leading (usually) to a disappointing outcome and yet more problems resulting from inadequate investment. With clear signs of another global recession looming (as if COVID, climate change and the war in Ukraine weren't challenging enough already), tightened belt-buckles are the order of the day*.

A substantial part of information risk and security expenditure is (whatever we may believe as professionals) discretionary. The decision to go for ISO/IEC 27001 certification, for instance, flows largely from management's appreciation of the business value of investing in information risk and security management good practices. There may be specific drivers such as incidents, compliance pressures or demands from business owners, partners and current or prospective customers, but even then there are numerous options and factors to consider such as:

• The objectives for the Information Risk Management System - what it is expected to achieve for the organisation;
• Your strategy for information risk, security, privacy, compliance, assurance and all that jazz, forming the picture into which the IRMS will slot neatly; 
• How broadly or narrowly to scope the IRMS, and the rationale for that decision;
• At what pace to implement the IRMS;
• The implementation plan, preferably in detail for the first few months which probably means either drafting the architectural design or at least starting work on the specifications;
• What resources to assign to the implementation: you'll need a suitable project manager and team, perhaps back-filling the information risk and security function until the IRMS is up to speed;
• Priorities for this work relative to other business activities, objectives and requirements, making adjustments as necessary (both initially and as the project proceeds when stuff comes up);
• Alignment with other corporate projects and initiatives e.g. exploiting strategic opportunities to update various systems, policies and processes for security and other reasons (such as Corporate Social Responsibility, or Governance, Risk and Compliance, or Environmental, Social and Governance, or some other Scrabble version) at the same time;
• Change management aspects: does the organisation have the capacity and appetite to adopt and assimilate the IRMS, and to get the most value from it? Where are the likely speedbumps and roadblocks, and what can be done to smooth the way?
• Project risks - assuming things may not go entirely to plan, look for alternative approaches/choices, contingency arrangements, dependencies and critical decision points (e.g. how far throgh the process can you book the certification audits?).

Identifying and addressing all that, and more, means a shed-load of work for management. Not only must cunning plans be developed, they must be 'sold' to senior managers responsible for the big decisions about strategies, budgets, resourcing etc. plus peers in other corporate departments/functions since we are all, in effect, competing for slices of the same pie.

An important preliminary step, then, is to convince senior management that a 'management system' or 'governance framework' for information risk and security is more than just a matter of best practices or compliance. It gives managers the information and levers necessary to direct, guide and monitor information risk and security, supporting and enabling the achievement of business objectives. An ISO/IEC 27001 certificate from an accredited certification body is like a stamp of approval ... but there's more to it. You'll find plenty of clues in our business case for an ISMS on how to persuade management that implementation makes sense for the business. 

* If budget requests are normally cut, anticipate even more savage cuts this time around despite the most robust and convincing case you can muster, due to the economic doom and gloom. Four useful budget negotiation techniques are:

(1) Being clear about your absolute bottom line, the point below which you might as well resign because you simply cannot achieve your obligations to the organisation; 

(2) Horse-trading with your peers to find win-win opportunities, goal alignment and complementary approaches (you scratch my back ...);
 

(3) Pulling strings - building strong relationships and understanding with powerful, influential managers with shared interests in this area; and

(4) Reminding managers (a.k.a. risk owners, asset owners ...) about their personal accountability in respect of protecting and exploiting information. If they consciously elect to under-fund security, they may be held to account for that business decision.